The Summation-Truncation Hybrid: Reusing Discarded Bits for Free - - PowerPoint PPT Presentation

The Summation-Truncation Hybrid: Reusing Discarded Bits for Free

Aldo Gunsing and Bart Mennink Crypto 2020

1 / 14

PRP vs. PRF

◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES

2 / 14

PRP vs. PRF

◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility

2 / 14

PRP vs. PRF

◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility ◮ In this case using a pseudorandom function (PRF) is often more secure

2 / 14

PRP vs. PRF

◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility ◮ In this case using a pseudorandom function (PRF) is often more secure ◮ Prominent example: CTR mode P P P 1 2 x0 x1 x2 y0 y1 y2 F F F 1 2 x0 x1 x2 y0 y1 y2 n/2-bit security n-bit-security

2 / 14

PRP-to-PRF Conversion

◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one

3 / 14

PRP-to-PRF Conversion

◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion

3 / 14

PRP-to-PRF Conversion

◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion

◮ PRP-PRF switch: PRP behaves like a PRF up to the birthday bound

3 / 14

PRP-to-PRF Conversion

◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion

◮ PRP-PRF switch: PRP behaves like a PRF up to the birthday bound ◮ Conversions like summation and truncation achieve beyond birthday bound security

3 / 14

Summation and Truncation

P P y x0 x1

4 / 14

Summation and Truncation

P P y x0 x1 ◮ Sums two consecutive calls

4 / 14

Summation and Truncation

P P y x0 x1 ◮ Sums two consecutive calls ◮ n-bit security

4 / 14

Summation and Truncation

P P y x0 x1 P y x

n a n − a

◮ Sums two consecutive calls ◮ n-bit security

4 / 14

Summation and Truncation

P P y x0 x1 P y x

n a n − a

◮ Sums two consecutive calls ◮ n-bit security ◮ Truncates a call to the first a bits

4 / 14

Summation and Truncation

P P y x0 x1 P y x

n a n − a

◮ Sums two consecutive calls ◮ n-bit security ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits

4 / 14

Summation and Truncation

P P y x0 x1 P y x

n a n − a

◮ Sums two consecutive calls ◮ n-bit security ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ Used in the key derivation function of GCM-SIV

4 / 14

Summation and Truncation

P P y x0 x1 P y x

n a n − a

◮ Sums two consecutive calls ◮ n-bit security ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ Used in the key derivation function of GCM-SIV ◮ n − a/2-bit security

4 / 14

Summation-Truncation Hybrid

◮ Instead of discarding bits, we can reuse them by applying summation

5 / 14

Summation-Truncation Hybrid

P P u v w x0 x1

n a n − a n a n − a

◮ Instead of discarding bits, we can reuse them by applying summation ◮ This leads to the Summation-Truncation Hybrid (STH)

5 / 14

Summation-Truncation Hybrid

P P u v w x0 x1

n a n − a n a n − a

◮ Instead of discarding bits, we can reuse them by applying summation ◮ This leads to the Summation-Truncation Hybrid (STH) ◮ Outputs n − a extra bits compared to truncation

5 / 14

Summation-Truncation Hybrid

P P u v w x0 x1

n a n − a n a n − a

◮ Instead of discarding bits, we can reuse them by applying summation ◮ This leads to the Summation-Truncation Hybrid (STH) ◮ Outputs n − a extra bits compared to truncation ◮ But we show that it has equal security!

5 / 14

Summation-Truncation Hybrid

P P u v w x0 x1

n a n − a n a n − a

◮ Instead of discarding bits, we can reuse them by applying summation ◮ This leads to the Summation-Truncation Hybrid (STH) ◮ Outputs n − a extra bits compared to truncation ◮ But we show that it has equal security! ◮ Identical to summation when a = 0

5 / 14

Proof Sketch: Idea

P

$

← − Perm[n] P P u v w 1

6 / 14

Proof Sketch: Idea

P

$

← − Perm[n] P P u v w 1 ◮ Try to separate the truncation and summation parts

6 / 14

Proof Sketch: Separating STH

P

$

← − Perm[n] P P u v 1 P P w 1 u v

7 / 14

Proof Sketch: Separating STH

P

$

← − Perm[n] P P u v 1 P P w 1 u v ◮ Just write the two parts separately

7 / 14

Proof Sketch: Separating STH

P

$

← − Perm[n] P P u v 1 P P w 1 u v ◮ Just write the two parts separately ◮ Problem: there is a shared secret P

7 / 14

Proof Sketch: Permutation-Separated STH

P

$

← − Perm[n] P P u v 1 P′

$

← − P′ P′ w 1 u v

8 / 14

Proof Sketch: Permutation-Separated STH

P

$

← − Perm[n] P P u v 1 P′

$

← − P′ P′ w 1 u v ◮ We re-choose the permutation, but keep the same distribution

8 / 14

Proof Sketch: Permutation-Separated STH

P

$

← − Perm[n] P P u v 1 P′

$

← − Permcomp(u, v) P′ P′ w 1 u v ◮ We re-choose the permutation, but keep the same distribution ◮ Permcomp(u, v) is the set of all permutations that give (u, v) as truncation output

8 / 14

Proof Sketch: Permutation-Separated STH

P

$

← − Perm[n] P P u v 1 P′

$

← − Permcomp(u, v) P′ P′ w 1 u v ◮ We re-choose the permutation, but keep the same distribution ◮ Permcomp(u, v) is the set of all permutations that give (u, v) as truncation output ◮ No shared secret, as u and v are public!

8 / 14

Proof Sketch: Isolating Truncation

P

$

← − Perm[n] P P u v 1 P′

$

← − Permcomp(u, v) P′ P′ w 1 u v

9 / 14

Proof Sketch: Isolating Truncation

P

$

← − Perm[n] P P u v 1 u

$

← − {0, 1}a v

$

← − {0, 1}a P′

$

← − Permcomp(u, v) P′ P′ w 1 u v ◮ Replace the truncation by a random function

9 / 14

Proof Sketch: Isolating Truncation

P

$

← − Perm[n] P P u v 1 u

$

← − {0, 1}a v

$

← − {0, 1}a P′

$

← − Permcomp(u, v) P′ P′ w 1 u v ◮ Replace the truncation by a random function ◮ Permcomp(u, v) still well-defined, although u and v are generated differently

9 / 14

Proof Sketch: Summation Modifications

P′

$

← − Permcomp(u, v) P′ P′ 1 U V u v w = U ⊕ V

10 / 14

Proof Sketch: Summation Modifications

◮ Modified summation with subvalues U and V P′

$

← − Permcomp(u, v) P′ P′ 1 U V u v w = U ⊕ V

10 / 14

Proof Sketch: Summation Modifications

◮ Modified summation with subvalues U and V ◮ What are their distributions? P′

$

← − Permcomp(u, v) P′ P′ 1 U V u v w = U ⊕ V

10 / 14

Proof Sketch: Summation Modifications

◮ Modified summation with subvalues U and V ◮ What are their distributions? ◮ U has a uniform distribution P′

$

← − Permcomp(u, v) P′ P′ 1 U V u v w = U ⊕ V

10 / 14

Proof Sketch: Summation Modifications

◮ Modified summation with subvalues U and V ◮ What are their distributions? ◮ U has a uniform distribution ◮ For V it depends:

◮ If v = u, V is uniform from {0, 1}b ◮ If v = u, V is uniform from {0, 1}b \ {U}

P′

$

← − Permcomp(u, v) P′ P′ 1 U V u v w = U ⊕ V

10 / 14

Proof Sketch: Alternative Description

Pk

$

← − Perm[b] Pu Pv 1 U V w = U ⊕ V

11 / 14

Proof Sketch: Alternative Description

◮ We modify the construction to a family of permutations Pk

$

← − Perm[b] Pu Pv 1 U V w = U ⊕ V

11 / 14

Proof Sketch: Alternative Description

◮ We modify the construction to a family of permutations ◮ We get the same distributions

• f U and V

Pk

$

← − Perm[b] Pu Pv 1 U V w = U ⊕ V

11 / 14

Proof Sketch: Alternative Description

◮ We modify the construction to a family of permutations ◮ We get the same distributions

• f U and V

◮ U has a uniform distribution Pk

$

← − Perm[b] Pu Pv 1 U V w = U ⊕ V

11 / 14

Proof Sketch: Alternative Description

◮ We modify the construction to a family of permutations ◮ We get the same distributions

• f U and V

◮ U has a uniform distribution ◮ For V it depends:

◮ If v = u, V is uniform from {0, 1}b ◮ If v = u, V is uniform from {0, 1}b \ {U}

Pk

$

← − Perm[b] Pu Pv 1 U V w = U ⊕ V

11 / 14

Proof Sketch: Generalized Summation

Pk

$

← − Perm[b] Pu Pv w 1

12 / 14

Proof Sketch: Generalized Summation

◮ This construction is a generalization of summation Pk

$

← − Perm[b] Pu Pv w 1

12 / 14

Proof Sketch: Generalized Summation

◮ This construction is a generalization of summation ◮ We modify the proof of summation to cover this variant Pk

$

← − Perm[b] Pu Pv w 1

12 / 14

Proof Sketch: Generalized Summation

◮ This construction is a generalization of summation ◮ We modify the proof of summation to cover this variant ◮ Uses the χ2-technique Pk

$

← − Perm[b] Pu Pv w 1

12 / 14

Comparison

1 2 3 4

n 2 2n 3 3n 4

n Rate Security level (in bits) Summation Truncation STH Rate Security level Construction (in/out) (in bits) Summation 2 n Truncation n/a n − a/2 STH 2n/(n + a) n − a/2

13 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs

14 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs ◮ Dedicated PRFs are not conventional, block ciphers are more commonly built

14 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs ◮ Dedicated PRFs are not conventional, block ciphers are more commonly built ◮ An established PRP-to-PRF conversion is truncation

14 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs ◮ Dedicated PRFs are not conventional, block ciphers are more commonly built ◮ An established PRP-to-PRF conversion is truncation ◮ However, it discards valuable PRP-output

14 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs ◮ Dedicated PRFs are not conventional, block ciphers are more commonly built ◮ An established PRP-to-PRF conversion is truncation ◮ However, it discards valuable PRP-output ◮ We can reuse these bits without security loss with summation: STH

14 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs ◮ Dedicated PRFs are not conventional, block ciphers are more commonly built ◮ An established PRP-to-PRF conversion is truncation ◮ However, it discards valuable PRP-output ◮ We can reuse these bits without security loss with summation: STH ◮ Might be interesting to expand to more permutation calls

14 / 14

Conclusion

◮ A lot of cryptographic constructions use PRFs ◮ Dedicated PRFs are not conventional, block ciphers are more commonly built ◮ An established PRP-to-PRF conversion is truncation ◮ However, it discards valuable PRP-output ◮ We can reuse these bits without security loss with summation: STH ◮ Might be interesting to expand to more permutation calls

Thank you for your attention!

14 / 14